docs: Add runtime.mcp.allowed_hosts configuration

claudespice · lukekim · commit 3ebf55ed8dd1 · 2026-05-07T08:53:11.000-07:00
Document the new runtime.mcp.allowed_hosts setting that controls
which Host header values are accepted on the /v1/mcp endpoint
for DNS rebinding attack prevention.
diff --git a/website/docs/components/tools/mcp.md b/website/docs/components/tools/mcp.md
@@ -62,6 +62,20 @@ tools:
     from: mcp:http://localhost:8090/v1/mcp
 ```
 
+### Allowed Hosts
+
+By default the `/v1/mcp` endpoint only accepts requests with a `Host` header matching `localhost`, `127.0.0.1`, or `::1` to prevent DNS rebinding attacks. To allow additional hosts, configure [`runtime.mcp.allowed_hosts`](../../reference/spicepod/runtime#runtimemcp):
+
+```yaml
+runtime:
+  mcp:
+    allowed_hosts:
+      - localhost
+      - my-host.internal:8090
+```
+
+Set `allowed_hosts: ["*"]` to disable host checking entirely.
+
 ## Configuration Options
 
 ### `from`
diff --git a/website/docs/features/large-language-models/mcp.md b/website/docs/features/large-language-models/mcp.md
@@ -70,6 +70,20 @@ tools:
     from: mcp:http://localhost:8090/v1/mcp
 ```
 
+### Allowed Hosts
+
+By default the `/v1/mcp` endpoint only accepts requests with a `Host` header matching `localhost`, `127.0.0.1`, or `::1` to prevent DNS rebinding attacks. To allow additional hosts, configure [`runtime.mcp.allowed_hosts`](../../reference/spicepod/runtime#runtimemcp):
+
+```yaml
+runtime:
+  mcp:
+    allowed_hosts:
+      - localhost
+      - my-host.internal:8090
+```
+
+Set `allowed_hosts: ["*"]` to disable host checking entirely.
+
 ## Additional Configuration Options
 
 ### `from`
diff --git a/website/docs/reference/spicepod/runtime.md b/website/docs/reference/spicepod/runtime.md
@@ -554,6 +554,39 @@ runtime:
 | `max_message_size`          | Yes      | -       | Maximum size of a single Arrow Flight message.                       |
 | `do_put_rate_limit_enabled` | Yes      | `true`  | Whether rate limiting is applied to `DoPut` Arrow Flight operations. |
 
+## `runtime.mcp`
+
+Configures settings for the Spice MCP server endpoint (`/v1/mcp`).
+
+### `runtime.mcp.allowed_hosts`
+
+Controls which `Host` header values are accepted on the `/v1/mcp` endpoint. This prevents [DNS rebinding](https://en.wikipedia.org/wiki/DNS_rebinding) attacks against the MCP server.
+
+| Behavior | Configuration |
+| --- | --- |
+| **Default** (not set) | Only `localhost`, `127.0.0.1`, and `::1` are permitted. Requests with any other `Host` value receive `403 Forbidden`. |
+| **Explicit list** | Replaces the defaults entirely. Only the listed hosts are accepted. |
+| **Wildcard** (`["*"]`) | Disables host checking — all `Host` header values are accepted. |
+
+```yaml
+runtime:
+  mcp:
+    allowed_hosts:
+      - localhost
+      - my-host.internal:8090
+```
+
+To disable host checking entirely:
+
+```yaml
+runtime:
+  mcp:
+    allowed_hosts:
+      - "*"
+```
+
+Each entry can be a bare hostname (`example.com`), a host-port pair (`example.com:8090`), or a full origin URL (`https://example.com`).
+
 ## `runtime.ready_state`
 
 Controls when the runtime readiness probe (`/v1/ready`) reports the runtime as ready. This is particularly useful for Kubernetes readiness probes.
